What to look for in a Fraud Detection System

A White Paper by Jeffrey C. Hodgson
This analysis began with the premise that the ideal Fraud Management System (FMS) is theoretically possible. Telephony customers were interviewed. Commercial fraud detection systems were analyzed, their strengths and weaknesses cataloged, and patterns emerged.

As background to what prompted this analysis, the FMS industry has changed dramatically over the last decade with more FMSs, new technology, more functions, more criminals with new and old tricks, more rather than fewer telephony companies, etc., and as often happens with these kinds of changes, one can lose sight of the "Basics." So as NOT to lose sight of these basics, this white paper is offered.
#1 Basic

FMS is a fraud control "tool." Merriam-Webster Dictionary defines a tool as "something (as an instrument or apparatus) used in performing an operation or necessary in the practice of a vocation or profession."
So as with any tool, it must improve production (production is used here to mean getting the right results). Improving production within the fraud arena would translate to the improvement of the Telco's material welfare and the reduction of the material welfare of the fraudsters. Improving a Telco's material welfare would mean a positive and ongoing Return-on-Investment (ROI). They would get more than what they invest, and the ROI would continue to increase. Besides the financial part of ROI, benefits must also be included, specifically tangible, semi-tangible and non-tangible benefits.
In order to improve production of a fraud management center, the FMS (tool) must be fast, it must be secure, it must be easy to use and it must analyze and measure accurately. If the tool takes too much time to learn, takes too much to maintain, costs too much to administer and is too hard to use, then it will reduce production.
We have all seen tools becoming fancier and fancier, doing many things, promising too much rather than getting better, faster, easier and cheaper.

The following are major decision elements to review when evaluating FMSs.
- On-line and Real-time Operation

The telephony and computer industry defines "real-time" as 3 seconds or less. CDRs should be analyzed before they hit the system disks. Fraud parameters should be in RAM (75 times faster than disk) so traffic analysis and alarms are effectively instant.
- On-line Historical Database and Analysis

This helps investigators determine if the anomaly is fraud or honest usage outside expected bounds. Records can also be used to help prosecute. Although "Relational Databases" are good for reports and ad-hoc queries, they are costly and slow a system down.
- 30 to 365 Day On-line Historical Database Time Span

Fraud investigators can check anomalous patterns against calls from the same time last year, last month, last week or last day. Management can analyze network-wide calling patterns and plan for future growth.
- On-line/real-time Hot List or Hot Number Rules

User defined Hot Lists or Hot Numbers are a basic feature, monitoring calls to or from specific numbers, areas, or countries. Many carriers maintain hot lists of telephone sex lines, as the users of these lines are notorious for non-payment or fraudulent use. Hot lists can also be used for calls to certain countries that are prone to problems and fraud.
- On-line/real-time Rules for any Number of Investigators, Using Advanced Logic

Like Hot Lists or Hot Numbers, rules isolate and report known problems, and any permutation of a set of CDR parameters can be set to alarm. If the trouble comes on late weekend nights, from a given city, to a given country, through a given reseller, rules-based logic spots it. Hot Lists/Hot Numbers and rules are useful in law enforcement, with proper court authorization.
- Analysis Across All Switches

Switches do not communicate with each other, so fraud patterns that spread over many switches can be invisible. Network-wide data can be gathered and correlated using cross-analysis.
A system that learns the calling habits or patterns of each line of service is many times more effective than one using only thresholds, no matter how programmable. Usage technology inspects the finest level of granularity, not a statistical extrapolation. Criminals undercut thresholds and change hot listed numbers. Pattern recognition technologies do not require the purchase of different modules for different services offered. This approach works equally well in wireless systems.
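An added example, not code from the white paper, of the three mechanisms described above working over one gathered feed: a hot-list prefix check, a rule over CDR parameters (long calls on late weekend nights), and cross-switch correlation that no single switch could see. The CDR layout, switch names, numbers, hot-list entry and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs gathered from three switches:
# (switch, account, called number, start time, duration in minutes)
CDRS = [
    ("SW-A", "ACCT-1", "+1900555010",   "2026-01-10T23:15", 12.0),  # Sat night
    ("SW-B", "ACCT-1", "+1900555010",   "2026-01-10T23:20", 30.0),
    ("SW-A", "ACCT-2", "+442071234567", "2026-01-12T10:00", 3.0),   # Mon morning
    ("SW-C", "ACCT-3", "+1212555019",   "2026-01-11T02:05", 1.0),   # one number,
    ("SW-B", "ACCT-3", "+1212555019",   "2026-01-11T02:06", 1.0),   # three switches,
    ("SW-A", "ACCT-3", "+1212555019",   "2026-01-11T02:07", 1.0),   # minutes apart
]

# Constructed hot list: number prefix -> reason it is watched.
HOT_PREFIXES = {"+1900": "premium-rate line with a history of non-payment"}

def hot_list_alarms(cdrs, hot_prefixes=HOT_PREFIXES):
    """Alarm every call to a hot-listed number, area or country prefix."""
    alarms = []
    for switch, acct, number, start, minutes in cdrs:
        for prefix, reason in hot_prefixes.items():
            if number.startswith(prefix):
                alarms.append((acct, number, reason))
    return alarms

def late_weekend_rule(cdrs, min_minutes=10.0):
    """Rule over CDR parameters: long calls placed late on weekend nights
    (Fri-Sun, 22:00-05:59).  The thresholds are constructed for the example."""
    alarms = []
    for switch, acct, number, start, minutes in cdrs:
        ts = datetime.fromisoformat(start)
        late = ts.hour >= 22 or ts.hour < 6
        weekend = ts.weekday() >= 4            # Fri=4, Sat=5, Sun=6
        if late and weekend and minutes >= min_minutes:
            alarms.append((acct, number, start, minutes))
    return alarms

def cross_switch_alarms(cdrs, min_switches=3):
    """Network-wide correlation: one account calling one number through
    several switches.  Each switch alone sees a single harmless call."""
    switches = defaultdict(set)
    for switch, acct, number, start, minutes in cdrs:
        switches[(acct, number)].add(switch)
    return [(acct, number, sorted(sw))
            for (acct, number), sw in switches.items() if len(sw) >= min_switches]

def analyze(cdrs):
    """Run every check over the gathered feed; alarms grouped by category."""
    return {"hot_list": hot_list_alarms(cdrs),
            "rules": late_weekend_rule(cdrs),
            "cross_switch": cross_switch_alarms(cdrs)}

if __name__ == "__main__":
    for category, hits in analyze(CDRS).items():
        print(category, hits)
```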
- How is FMS Affected by New Legislation?

New rules brought new games. Will most fraud systems' software need to be rewritten? Will it support number portability when a business customer moves from New York to Boise, but must keep their New York phone number, which they may now legally use in Boise? What of service portability when the customer prefers the previous provider's contract?
Now fraudsters have learned that new laws don't require payment for calls made before a contract is signed. Delaying signature by various excuses, then skipping from provider to provider, offers months of legally free service. Can the FMS detect abuse of the new requirements to reimburse pay phone owners for every 800 number called?
Before misuse, hackers must penetrate a switch. In doing so, they leave telltale usage patterns. Alarming on the actual hacking process early thwarts misuse and discourages or redirects criminal efforts.
Long duration domestic, long duration international, multiple 1+ calls to the same number, multiple invalid calls to the same number, simultaneous usage, and geographic international calls can all be included in daily analysis reports.
In one memorable example of PBX fraud, the United States Drug Enforcement Agency (DEA) in Houston was bilked for $2 million by thieves who stole their remote access codes. Using a local number given to all DEA employees, hackers discovered codes by multiple calls and trial and error. For 18 months, they placed long-distance calls on the DEA's account before a telephone company investigation, not a DEA audit, discovered them. Better fraud detection would have averted a much-echoed belly laugh among the criminal element at the expense of a government agency.
- Case and Alarm Escalation: Frequency and Severity

Programmable case and alarm frequency and severity ensure the right response to each individual fraud alarm and case.
- Automatic Paging for Fraud Cases and System/Network Malfunction

Alert notifications should differentiate between malfunction of the fraud system itself, low-level fraud, and a severe hit. Cases and automatic paging should escalate if no one responds. An escalating pager alarm foiled a weekend hit that would have reached $400,000 by Monday. First, it notified a Supervisor, and if the Supervisor failed to respond, the Manager was paged.
- Secured Remote Access for Case Handling and System Management

The Analysts and Managers should be able to remotely terminate misuse. Because hacking can occur at any time, security personnel must control the system even when out of town or off work.

The fraud system should monitor its own internal activities for malfunction, penetration and performance.
- Traffic Subsystem Alarms

Each subsystem on the network should be monitored separately for fraud and data stream anomalies. When time stamps on CDRs are 90 minutes behind, there is a 90-minute fraud window. If the stream is cut, the switch may have been entirely taken over or delayed. Bingo! Another fraud window opens.
In early April 1999, a small company was contacted by its local exchange carrier's fraud detection division regarding 2,300 minutes of calls to the Middle East. Crooks got into the building's junction box, clipped on, and re-routed a line. Fraud should be alarmed long before 40 hours of service is stolen.
- CDR Monitoring for the FMS

A CRITICAL element of fraud control is the timely arrival of CDRs at the FMS. If it is slowed or stopped, the fraud center needs to know NOW! It is essential to have a real-time CDR monitor that tells the Analysts or Investigators the status and time delay of CDR traffic by switch.
- Automatic Blocking or Shut Down of Violations

Industry sources estimate that up to 70 percent of fraud is perpetrated by, or unwittingly abetted by, carrier employees. Some are profit motivated, some disgruntled, some just coerced into giving out information.

Automatic but flexible system response allows increasing gradients of automatic blocking (temporary) and deactivation (permanent).

One Los Angeles company with a large pager-carrying staff was hit by $9,000 in beeper callback scams. Unless calls to offending numbers are automatically blocked, crooks just wait a few days, and then page a new set of employees.
- In-system Backup Power Supply

The computer room or building's backup power is not enough. Without guaranteed backup power for the fraud management system, hackers can get inside your network during a ten-minute blackout, during which time they learn secrets that they reuse and sell for months.
- CDR Duplicate, Missing Count, and Error Correction Monitor

A well-designed fraud system can help trace errors in the call accounting and billing process by checking for dropped, overwritten, duplicate, or corrupted CDRs. One long distance carrier's fraud system detected a 3.76 percent error rate in billing data. Reclaimed revenue was $7.5 million annually.
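An added example, not the white paper's own code, of the real-time CDR feed monitor called for in the "Traffic Subsystem Alarms" and "CDR Monitoring for the FMS" sections, combined with the duplicate and missing-record counting described just above. The record layout (switch id, per-switch sequence number, CDR timestamp), the sample feed, the wall-clock value and the 5-minute lag threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed feed sample: (switch id, record sequence number, CDR timestamp).
# Sequence numbers are assumed per-switch and contiguous when nothing is lost.
FEED = [
    ("SW-A", 100, "2026-01-10T12:00:00"),
    ("SW-A", 101, "2026-01-10T12:00:05"),
    ("SW-A", 101, "2026-01-10T12:00:05"),   # duplicate record
    ("SW-A", 104, "2026-01-10T12:00:20"),   # 102 and 103 never arrived
    ("SW-B",   7, "2026-01-10T10:25:00"),   # this switch is over 90 min behind
    ("SW-B",   8, "2026-01-10T10:26:00"),
]
NOW = datetime.fromisoformat("2026-01-10T12:00:30")   # constructed wall clock

class FeedMonitor:
    """Per switch: newest CDR timestamp plus duplicate and missing counts.
    lag_alarm is the delay at which a feed is reported as an open fraud
    window (constructed value; the paper's example is a 90-minute lag)."""

    def __init__(self, lag_alarm=timedelta(minutes=5)):
        self.lag_alarm = lag_alarm
        self.seen = {}        # switch -> sequence numbers seen (unbounded here;
                              # a production monitor would keep a sliding window)
        self.last_seq, self.last_ts = {}, {}
        self.dups, self.missing = {}, {}

    def ingest(self, switch, seq, ts_str):
        """Account one CDR; return the alarm strings this record raises."""
        seen = self.seen.setdefault(switch, set())
        if seq in seen:
            self.dups[switch] = self.dups.get(switch, 0) + 1
            return [f"{switch}: duplicate CDR seq {seq}"]
        seen.add(seq)
        alarms, last = [], self.last_seq.get(switch)
        if last is not None and seq > last + 1:
            gap = seq - last - 1
            self.missing[switch] = self.missing.get(switch, 0) + gap
            alarms.append(f"{switch}: {gap} CDR(s) missing after seq {last}")
        self.last_seq[switch] = seq if last is None else max(last, seq)
        ts = datetime.fromisoformat(ts_str)
        self.last_ts[switch] = max(ts, self.last_ts.get(switch, ts))
        return alarms

    def lag(self, switch, now):
        """How far the newest CDR from a switch trails the wall clock."""
        return now - self.last_ts[switch]

    def fraud_windows(self, now):
        """Switches whose feed lags past the threshold: each is an open
        fraud window until the delayed CDRs catch up."""
        return {sw: self.lag(sw, now) for sw in self.last_ts
                if self.lag(sw, now) > self.lag_alarm}

def run_feed(feed=FEED):
    """Ingest the sample feed; return the monitor and every alarm raised."""
    mon, alarms = FeedMonitor(), []
    for switch, seq, ts in feed:
        alarms.extend(mon.ingest(switch, seq, ts))
    return mon, alarms
```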
- Case Manager of FMS Should Self-learn from the Actions of the Investigators

After an Investigator evaluates a Case and determines that it should only be watched, and re-alarmed only once the violations worsen, the Case Manager should learn this and apply it automatically rather than handling the Case over and over again.
- Case Manager Should Alert an Investigator if a Customer's Status Changes

A new customer may not have established standard calling patterns. Until these are established, default thresholds should automatically check for unusual telecommunications activity. A reliable pattern should be built up between three and thirty days and refined dynamically.

Also, as a customer goes through their life cycle, the fraud system should alert on any changes of the customer or account status.
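An added example, not the white paper's code, of the per-line learned pattern favored in the "Analysis Across All Switches" discussion and the new-customer ramp described just above: default thresholds apply until three days of history exist, after which the line is judged against its own pattern, refined daily from a rolling window of at most thirty days. The default threshold, the mean-plus-three-sigma rule with its 10 percent floor, and the sample daily minute totals are constructed assumptions.

```python
from statistics import mean, pstdev

MIN_DAYS, MAX_DAYS = 3, 30            # the paper's three-to-thirty-day window
DEFAULT_DAILY_MINUTES = 120.0         # constructed default threshold for new lines

class LineProfile:
    """Per-line usage profile.  Until MIN_DAYS of history exist the line is
    judged against the default threshold; afterwards against its own pattern,
    re-estimated from a rolling window of at most MAX_DAYS."""

    def __init__(self):
        self.days = []                # daily minute totals, oldest first

    def add_day(self, minutes):
        """Close out one day of usage and refine the pattern dynamically."""
        self.days.append(float(minutes))
        del self.days[:-MAX_DAYS]     # drop anything older than the window

    def status(self):
        return "default-thresholds" if len(self.days) < MIN_DAYS else "learned"

    def threshold(self):
        """Alarm level for today's usage: mean + 3 sigma, with sigma floored at
        10% of the mean so a perfectly regular line still gets some headroom."""
        if len(self.days) < MIN_DAYS:
            return DEFAULT_DAILY_MINUTES
        m = mean(self.days)
        return m + 3 * max(pstdev(self.days), 0.1 * m)

    def is_anomalous(self, today_minutes):
        return today_minutes > self.threshold()

def demo():
    """Constructed walk-through of one line's first six days of service.
    Returns (status, threshold, anomalous?) as judged at the start of each day."""
    line, verdicts = LineProfile(), []
    for day_minutes in (20, 25, 22, 28, 24, 95):
        verdicts.append((line.status(), line.threshold(), line.is_anomalous(day_minutes)))
        line.add_day(day_minutes)
    return verdicts
```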
- Fraud Management for Other Operating Divisions, Resellers, Agents, etc.

Fraud prevention can be a profit center. Divisions and separate carriers can be billed for the anti-fraud service. If the system is designed right, each can have controlled access to its own fraud data.

A long distance reseller with Usage technology detected internal fraud on its wholesaler's network and reported it, pinpointing exactly where the fraud originated. Even with these clues, the wholesaler's system couldn't verify any fraud, so the reseller's warning was ignored. Months later, the large wholesaler quietly wrote off tens of millions of dollars of internal fraud from the area reported.
- Capacity, Speed, and Scalability

There are capacity and speed issues for the hardware and the software. Each needs to be tested and verified with various levels of users. Have you ever heard a vendor say "the system won't scale"? The truth of the matter is that hardware is generally designed to scale, but software often isn't, unless the software architecture and design allow for scalability.
The number of screens to be used by the Investigators or Analysts should be less than five, with 3-4 being optimum. The timing between screens should be tested along with the capacity and processing speeds. Ideally, screen changes should take less than four seconds.

Processing speeds should be 2000 to 3000 CDRs per second, with catch-up speeds at double that, in order to handle delayed CDRs, slowed networks or switches.
- False Positive Ratio

This metric is probably the most important when evaluating productivity. It means the number of actual fraud cases that are handled versus the number of cases an Analyst or Investigator has to view. Most systems run a False Positive Ratio of 100 to 1 (100:1), but a higher productivity metric should be in the range of 5:1 to 10:1.
- One Hundred Percent of CDRs Analyzed

Random sampling works well in opinion polls, not in fraud detection. A pollster using the right demographics can sample 1 percent of the nation and get good accuracy. Fraud systems sampling one percent of the calls leave a ninety-nine percent fraud-hole.
Because many systems send a beefed-up PC, or in some cases a mini-computer running 32-bit technology, to do a big system's job, call sampling is a common work-around. It hardly hinders a hacker to be detected 1 percent or even 20 percent of the time. The solution is thorough coverage. As one carrier put it, "I'm tired of plinking at these guys, I want to carpet-bomb!" Other work-arounds are limiting the number of alarms and limiting the number of cases. Some carriers jack the thresholds up high so the number of alarms is reduced; unfortunately, you have just put more cash in the fraudsters' pockets.
- Support for all Types of Mixed Switches on Same Network

One fraud system should accommodate modern networks' acquired amalgam of different vendors' equipment. Using a single fraud installation for every entity likewise facilitates future acquisitions and mergers. Also, the ideal FMS would be able to handle any kind of feed without the carrier having to modify its CDRs. Raw, binary CDRs are always preferable over "cooked" CDRs.
- Hook in at Network, Switch, or SS7 Level

Moving data collection points to switches or SS7 gives the ability to exactly monitor suspicious activity in outlying trouble areas without waiting for CDRs to reach the network. Control measures are also faster.
- Customizable to fit the Specific Operating Requirements, Product Mix and Network Configuration of Each Customer

Network configuration and operating requirements are based on what is wanted and needed for each carrier. Information on current and anticipated growth over three years in switch numbers, subscriber volume, CDR volume, and method of delivery are just a few areas available for customization. Acquisitions and mergers can impact the FMS. The key here is that the software architecture was written to make customization easy without a MAJOR re-write of the software.
- Military Security Level Certified: C2

Briefly, C2 is the highest level of commercial security possible without excessive physical-plant construction costs such as one-inch lead walls, etc.
- Hacker-proof Computer Operating System

A prime requirement for an operating system that cannot be hacked is that its source code has never been sold or stolen. New ownerships beget unauthorized copies and knowledge of backdoors.
- System Platform and Operating System use 64-bit Technology

As traffic grows, 32-bit computers cannot compete with the increased fraud load. Wider data paths and more robust software enable thorough fraud processing, not sampling or slower processing speeds.
- Automatic Fail-over or Restart of System Including CPUs, Memory, and Disks

Because it is unrealistic to expect any system never to fail, auto-restart should be fast, smooth, and require a minimum of human intervention. And a "hot" standby system is a must.
- Disaster Recovery Hot Site

Find out if the system provider accepts and processes your CDRs in real time if the fraud system malfunctions or during natural or civil disasters.
- Hardware and Software Support

Always look for support that is fast and seamless. Support needs to cover all critical areas: application software, hardware, user support, and network support. What's the response time? Is it 24x365 or 24x7? Is the support continuous until resolved? What's the status of hardware spare parts? If the support is not of the highest level in all areas, evaluate the "holes" and assess the maximum potential risk (in dollars) if the system can't handle the traffic or the load, or the system is not up.
- 99.9 percent Availability and Uptime

Remember, telephone criminals share and attack soft targets. If the CDRs aren't being processed, or the FMS is unavailable to the users, or the FMS is down, you are a soft target.
- Establish Price/Performance Selection Criteria

One simple yardstick is CDRs per second per dollar of system cost. An FMS is as effective as the lost money it puts back in circulation within the carrier. This is difficult to reckon because the full costs of telephone fraud are as invisible as the amount of undetected fraud on the network. While a thorough approach to fraud curtailment is expensive, one should determine its value not in cash out, but in reclaimed revenue. As fraud is stopped, its direct and indirect costs should disappear. Because carriers have already built fraud's many expenses into their cost of doing business, cutting fraud makes un-spent dollars reappear in many budgets.
Reckoning your total system cost

Cost of acquisition, cost to manage and support, and the eventual cost to upgrade must be included in all system cost analyses.

Cost of fraud investigation staff is a factor. When a report tells the exact routing, telephone numbers and times of day where fraud is occurring, case load can increase because investigators hit the bull's eye faster.
One case began with a user twice complaining that voluminous long-distance calling card usage was not his. Reports linked two phone numbers on the card to two that he called from home, leading investigators to learn that the complainer had started a new venture. The calls he denied were his business calls. This precision shows that as a Telco grows, its fraud staff need not: the tool is ALWAYS helping to keep fraud costs down!
A recent joint study of CIOs by Deloitte Touche and IDG found that:

- Nine out of 10 IT executives say that IT value is either critical or very important to their company.
- Two out of every three respondents acknowledge that IS groups have not been successful in measuring and communicating IT value.
- Nearly half the respondents say that executive management consistently understates the value of IT solutions.
- Delivery and Installation Time

Normal delivery time for a standard system installation shouldn't be longer than 60 days. Outsourcing the FMS tool is also an option; if it is set up right, installation, training and configuration shouldn't take more than 30 days.
- Fraud Costs Less than 0.1 percent of Revenues

At first, the unspent money reclaimed from stopping fraud pays back the provider for the fraud system's initial cost. That done, reclaimed money is essentially fresh revenue.
Oddly, the length of the payback curve in weeks or months is a direct function of the fraud system's clamp-time in minutes or seconds. When the crooked authcodes that criminals buy for XYZ Network shut down after three calls, not after the hoped-for two weeks' usage, crooks simply refuse to buy more authcodes for that network. Fraud can diminish within days and essentially stop within weeks.
Fraud losses dropping is the key, but bad debt losses should be dropping as well, since 45% to 70% of bad debt is usually fraud.
- Assessment of the FMS Vendor

Lastly, there should always be an assessment of the vendor who supplies the FMS. Here are some things to look for:

- How long has the FMS vendor or FMS been in a working state with installations?
- What's the technical staff turnover?
- What's the executive staff turnover?
- What's the owner turnover?
- How many customers/installations has the vendor lost?
- Where did the lost customers go: to other vendors, or was the FMS taken and developed inside?
- What's the vendor's customer retention ratio? Less than 70% is not good.
- What percentage of the vendor's revenues comes from the FMS? Less than 55% is not good.
- Is the FMS portion of the vendor's business a profit center?
- If the vendor has multiple profit centers, where does the FMS fit? Is it at the top or the bottom? The bottom would not be good for longevity purposes.
- Financial stability: financial size doesn't always mean stability.
- How much is invested in R&D to enhance the FMS?